On the heels of a ransomware attack on the MongoDB, which hit thousands of MongoDB databases accessible on the Web, thousands of users of Elasticsearch now find themselves under attack.
Based on a thread in the public Elasticsearch support forum, the attack on poorly secured clusters began last week:
Today I found that all indices on our Test ES cluster was removed and one new index “warning” was created there.
And I found following text from the raw index data:
SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS..
MongoDB administrators are about to be tought a hard lesson in database management practices, as the number of hackers that are now involved with DB hijacking attempts has gone from one to three, and more are expected to join in the upcoming days.
Anyone met same attack?
The attackers weren’t bluffing, and the attack on Elasticsearch is mirroring the nightmare many MongoDB users recently suffered.
As this story, Over 28,000 weak MongoDB databases are currently being held ransom by hackers, in International Business Times details, how the MongoDB attacks spiked from 12,000 to more than 27,000 in one day.
The messages, as quoted in the same story, closely mimic the message above posted by the first known victim of the Elasticsearch attack:
“Your database has been pwned because it is publically accessible at port 27017 with no authentication (wtf were you thinking?). Your data has been dumped (with data types preserved), and is easily restoreable [sic].
“To get your data back, email the supplied email after sending 0.15BTC to the supplied Bitcoin wallet, do this quickly as after 72 hours your data will be erased (if an email is not sent by then). We will get back to you within 2 days. All of your data will be restored to you upon payment.”
The Elasticsearch server-side ransomware attack is scaling as the MongoDB attack did, according to Niall Merrigan who has been tracking the attack numbers on Twitter. He says there are close to 4,000 compromised Elasticsearch servers – and the number is growing.
It doesn’t take a data scientist to connect the dots and draw a pattern: Server-side ransomware attacks on cloud systems are here to stay, and they’re potentially devastating. Make sure your systems aren’t accessible over the public cloud and you’ll take a big step to avoid becoming one of those statistics.
Elasticsearch is offering some good advice to its users here, as well.